Practice intelligence Current as of Jun 21, 2026
OlenderFeldman

PracticeGDPR

Irish DPC \u2014 Final Decision, Permanent TSB Inquiry (GDPR)

eu Jun 21, 2026

What the law is now

The Irish Data Protection Commission published a final decision following its inquiry into Permanent TSB, a financial institution. The decision concerns GDPR compliance by a financial-sector data controller. Tracked as a net-new GDPR enforcement precedent relevant to EU-facing controllers and processors, with a financial-services dimension. [UNVERIFIED — infringed GDPR articles, penalty amount, and corrective measures not confirmed from source text.]

What just shifted

What this adds: The Irish DPC's final decision against Permanent TSB adds a financial-sector enforcement precedent under GDPR, signaling that data protection obligations apply with full regulatory force to financial institutions acting as data controllers.

What this puts in question: It puts in question whether financial-sector controllers and their technology vendors have adequately mapped data flows, documented lawful bases, and structured their processing agreements to withstand DPC-style inquiry.

What clients should weigh

·If your platform processes personal data on behalf of EU financial institutions, do your data processing agreements specify the categories of data processed, the purposes, and each party's obligations with enough precision to survive regulator review?
·Have you identified every lawful basis under which you process EU customer data, and can you produce documentation showing that those bases were assessed before processing began rather than after a complaint?
·If you are conducting or preparing for M&A diligence on an EU-facing target, does your privacy review include the target's history of DPC or supervisory authority contact, any open inquiries, and the adequacy of its data processing records?
·This addresses GDPR controller obligations in the financial-services context. It does not reach sector-specific financial regulations, employment data obligations, or GDPR requirements outside the EU.
Data Protection Commission (Ireland), final decision, Permanent TSB inquiry (2026)

Ready to use

To-be-edited before sending to a client.

Client alert

Watch item — no client alert until confirmed operative.

Blog post

Watch item — no blog post until confirmed operative.

LinkedIn

This corpus reflects one attorney's personal review. It is not a comprehensive survey. Verify scope and currency before relying on it for any matter.